User-Space Enabled Virtual Private Network

ABSTRACT

This invention includes apparatus, systems, and methods to establish a virtual private network (“VPN”), or a secured network for authenticated and encrypted data transmission to prevent disclosure of private information to unauthorized parties. This invention provides secure and authenticated data transmission from a communication device to another device over any public or private network while using existing standard applications such as email, VoIP, internet browsers, ISR applications, video conferencing, telecommuting, inventory tracking and control, etc. without the need to secure or add encryption features into each specific application. This invention provides the opportunity to selectively secure one or more existing applications with configuration changes that can be made at the user-space level of the software stack and without need for higher level software stack access, such as root access.

CROSS-REFERENCE TO RELATED APPLICATIONS

The present application is related to and claims priority from prior provisional application Ser. No. 61/632,457 filed Jan. 24, 2012, the contents of which are incorporated herein by reference.

FIELD OF THE INVENTION

This invention relates generally to the field of securing data, and particularly a method, apparatus, and system for encrypting and decrypting electronic data from non-secure applications while in transit via a communications network.

BACKGROUND OF THE INVENTION

Modern electronic communication systems are used prolifically to communicate information in the form of electronic data across extensive wire and wireless communication networks. Private, corporate, and government entities use such networks to communicate sensitive information that requires privacy and security. However, most public communication networks do not provide adequate means to maintain the privacy and security of data while in transit. Therefore, electronic data is vulnerable to malicious use by entities not authorized to receive the electronic data. This includes the billions of electronic transmissions sent each day via mobile and fixed communications devices such as smart phones, tablet PC's, notebook PC's, desktop PC's, or any other device that transmits over communication networks. A user-friendly, compatible, and accessible data encryption solution is needed to protect the privacy and security for the users of such devices.

Specialized networks and software applications are available to help remedy this issue; however, such remedies are too expensive, cumbersome, and incompatible for use by a significant number of devices used by the general population. Many existing encryption systems require a completely separate communications network segregated from the general population to maintain security; however, such a solution is impractical for general use. Other solutions provide highly sophisticated software applications that enable security with encryption algorithms. Unfortunately, these software applications typically require hardware and software customization at both the client and server ends. Such customization results in added user cost and limited availability to the general population. Hence, existing solutions provide limited capability to secure electronic data transmissions, and due to their inherent designs are limited for use by the general population.

An example where this issue is often encountered involves the use of devices that use the Android operating system. Android-based devices are limited in protecting electronic data because Android-based devices have limited virtual private network (“VPN”) capabilities. The Android operating system requires that users have elevated permission levels such as root permissions to install or operate VPN capabilities. Hence, existing VPN solutions have limited use on Android-based devices.

This invention provides a novel method, apparatus, and system to protect electronic data transmissions that is less cumbersome for the end user than existing solutions. This invention enables a secure communication tunnel, or VPN, on a communication device completely within the user-space of an operating system for secure transmissions over existing public communication networks. This invention is also compatible with the most prolifically used mobile communication devices and existing software applications without the need to add security into each specific application.

BRIEF SUMMARY OF THE INVENTION

In one embodiment of the invention a system for establishing a secure communication tunnel to transmit electronic data across a communication network from a communication device with a non-secure application to a remote application system comprises a first communication device. Next a non-secure application is installed on the communication device. Next a network socket connection is coupled to the non-secure application. Next a monitor device is coupled to the network socket connection. Next a cryptographic application device is coupled to the monitor device. Next a local communication port is coupled to the cryptographic application device. Next a secure communication tunnel is connected to the local communication port and a remote communication port of the remote application system. Next the remote communication port is coupled to a second cryptographic application device. Next a server is connected to the second cryptographic application device. Next a second communication device is coupled to the server. Finally, the system is reversible so the second communication device can transmit electronic data to the first communication device over the established secure communication tunnel.

In one embodiment of the invention a method for establishing a secure and protected communication tunnel to transmit electronic data across a communication network from a communication device with a non-secure application to a remote application system comprises the first step of configuring the communication device's cryptographic application device with identifying information for a remote application system. Next a local communication port from the communication device is associated with the cryptographic application device. Next the non-secure application is configured to transmit data through a specific network socket connection. Next the cryptographic application device establishes a secure and authenticated connection to a second cryptographic application device of the remote application system. Next a monitor monitors data transmitted through the network socket connection. Next the monitor directs the data to the cryptographic application device. Next the cryptographic application device prepends the data with the identifying information for the remote application system. Next the cryptographic application device encrypts the appended data. Next the encrypted data is transmitted via the secure and authenticated connection to the second cryptographic application device of the remote application system. Next the second cryptographic application device authenticates the transmission. Next the encrypted data is decrypted. Next the decrypted data is transmitted to a server. Next the server uses the identifying information to determine the second communication device. Finally, the communication method is reversible and the second communication device can transmit electronic data to the first communication device over the established secure communication tunnel.

BRIEF DESCRIPTION OF THE DRAWINGS

Features and advantages of the claimed subject matter will be apparent from the following detailed description of embodiments consistent therewith, which description should be considered with reference to the accompanying drawings, wherein:

FIG. 1 is a diagram illustrating how a typical VPN is set up on a communications device in accordance with known prior art;

FIG. 2 is a diagram of an exemplary embodiment for establishing a VPN in accordance with the teachings of the present invention;

FIG. 3 is a diagram of an exemplary embodiment for a system to establish a secure communication tunnel to transmit electronic data across a communication network from a communication device with a non-secure application to a remote application system in accordance with the teachings of the present invention;

FIG. 4 is a diagram of an exemplary embodiment for the reversible system to establish a secure communication tunnel to transmit electronic data across a communication network from the second communication device with a non-secure application back to the first communication device in accordance with the teachings of the present invention;

FIG. 5 is a diagram of an exemplary embodiment for a method to establish a secure and protected communication tunnel to transmit electronic data across a communication network from a communication device with a non-secure application to a remote application system in accordance with the teachings of the present invention.

DETAILED DESCRIPTION OF THE INVENTION

The following describes the details of the invention. Although the following description will proceed with reference being made to illustrative embodiments, many alternatives, modifications, and variations thereof will be apparent to those skilled in the art. Accordingly, it is intended that the claimed subject matter be viewed broadly. Examples are provided as reference and should not be construed as limiting. The term “such as” when used should be interpreted as “such as, but not limited to.”

This invention enables a secure communication tunnel, or virtual private network (“VPN”), on a communication device completely within the user-space of the operating system. The invention allows a communication device with an existing non-secure software application to leverage secure and authenticated communications between the communication device and a server, or another communication device, without the need for modifying the existing software application's source code. FIG. 1 illustrates the device software stack 100 for a typical VPN method which requires modifying the operating system 160, IP stack 150, device drivers 170, and hardware abstract layer/firmware 180—all of which require elevated privileges such as root privileges 120 to install or operate the VPN software on a communication device. FIG. 2 illustrates the device software stack 200 for a VPN approach embodied by this invention. This invention does not require configuration changes to the non-user space 220 of the device software stack 200. Configuration changes 230 are required only at the user-space 210 layer and no changes are required to the operating system 260, IP stack 250, device drivers 270, and hardware abstract layer/firmware 180, nor does it require root privileges 220 to install or operate. The invention may be set up on a communication device completely within the user-space 210 and with the credentials of the current device user.

FIG. 3 is a diagram of an exemplary embodiment for a system 300 comprising a first communication device 310. The communication device 310 may include an electronic communication or computing device such as a smartphone, tablet, fixed personal computer, mobile computer, or any communication device that enables one computer or electronic device to communicate with another. Next a non-secure application 320 is installed on the communication device 310. The non-secure application 320 may include a software application installed within the software stack 321 of the communication device 310. The non-secure application 320 may be a commercially available off-the-shelf (“COTS”) software application without an integrated data encryption capability. Such a non-secure application 320 may include standard software applications such as Email, SIP-based VoIP clients, and video conferencing applications or any other software application in which communicating data across a communication network is a function of the application.

Next a network socket connection 330 is coupled to the non-secure application 320. The network socket connection 330 constitutes a mechanism for delivering data packets 301 to the appropriate application process, based on a combination of local and remote IP addresses and port numbers. Each socket connection is mapped by the operating system to a communicating application process. In other words, the non-secure application 320 is configured with the network socket connection 330 with a server 340 set to local-host and a defined port. So when the non-secure application 330 attempts to connect to an external server 340, the non-secure application 320 will open up a network socket connection 330 to the local-host and the defined port.

Next a monitor device 350 is coupled to the network socket connection 330. The monitor device 350 monitors the network socket connection 330 for data packet 301 transmissions from the non-secure application 320. The monitor device 350 may be a programmable computer, electronic device, or a software application. The monitor device 350 utilizes the network socket connection 330, such as TCP and UDP sockets, to accept incoming data packets 301 from the non-secure applications 320.

Next a cryptographic application device 360 is coupled to the monitor device 350. The cryptographic application device 360 retrieves the destination information for the data packet 301 from a database or predefined connection information. The destination information may include the data packet's 301 final destination information such as a destination server 340 name, IP address, port number, and device authentication information. The cryptographic application device 360 prepends the data packet 301 with the destination information and then encrypts the entire data into an encrypted data packet 304. The cryptographic application device includes a cryptographic engine consisting of hardware and/or software that utilizes a data encryption algorithm to secure data from unauthorized access. The cryptographic application device may include a stand-alone module consisting of the necessary algorithm data path and control processor chips and associated software. Likewise the cryptographic application device may be integrated within the communication device. In short, the cryptographic application device transforms the plaintext, non-encrypted data packet 301 using an encryption algorithm, or a cipher, to make the data unreadable to anyone except those possessing special knowledge, a key, to decrypt and make the data readable.

Next a local communication port 370 is coupled to the cryptographic application device 360. The local communication port 370 is coupled to a communication network 380 such as a public or private internet, telecommunications, or other network capable of transmitting electronic data packets 304. The local communication port 370 is capable of receiving encrypted data packets 304 transmitted by the cryptographic application device 360 and transmitting the encrypted data 304.

Next a secure communication tunnel 390 is connected to the local communication port 370 and a remote communication port 391 of the remote application system 392. The secure communication tunnel 390 may include a virtual private network (“VPN”) or any communication connection that uses primarily public telecommunication infrastructure, such as the Internet, to provide remote users access to a central organizational network, or private network. Multiple secure tunnels 399 may be established at any time allowing encrypted data 304 from various non-secure applications to transmit across more than one secure communication tunnel 399. Configuration regarding which secure communication tunnel 390 encrypted data 304 transmits across may be preconfigured or automatically established such as by random generation, or depending on which network 380 the remote application system 392 is associated with.

Next the remote communication port 391 is coupled to a second cryptographic application device 394. The secure communication tunnel 390 is coupled to the remote application system 392 via the remote communication port 391. The remote communication port 391 may be a serial port or a parallel port with such interfaces as Ethernet, FireWire, and USB or other such interface intended to interface with a communication device.

Next a second cryptographic application device 394 is coupled to the remote communication port 391 to receive the encrypted data 304. The second cryptographic application device 394 is a cryptographic engine consisting of hardware and/or software that utilizes a data encryption algorithm to secure data from unauthorized access. The second cryptographic application device 394 may include a stand-alone module consisting of the necessary algorithm data path and control processor chips and associated software. Likewise the second cryptographic application device may be integrated within a server, computer, electronic or communication device within the remote application system 392. The second cryptographic application device 394 first authenticates the data packet 304 as one from a known and trusted source, then it transforms the encrypted data 304 using a decryption algorithm, or a key, to make the data readable. With the decrypted data 307, the second cryptographic application device 394 is able to identify the data's 307 final destination information such as a destination server 340 name, IP address, port number, and device authentication information. If decryption or authentication fails, the encrypted data packet 304 is dropped. The second cryptographic application device 394 uses the data's 307 final destination information to initiate a connection to a server 340 within its private network 393. The second cryptographic application device 394 will now track this connection to the server 340 and associate it with the first communication device's 310 destination information such as the IP address and local port number to facilitate communication back to the first communication device 310. Once the connection to the server 340 is established, the second cryptographic application device 394 sends the decrypted data 307 to the server 340.

Next a server 340 is coupled to the second cryptographic application device 394. The server 340 may be a software program running to serve the computational or communication tasks of the non-secure application 320, or the server 340 may be a physical computer dedicated to running one or more applications to serve the needs of communications devices (i.e. 310 and 395) attached to the network 380. The server 340 may include an email-server, computer, server, switch, gateway, router, database server, file server, mail server, print server, web server, or other electronic or computing device capable of directing electronic data to communication devices.

Next a second communication device 395 is coupled to the server 340. The second communication device 395 may include an electronic communication or computing device such as a smartphone, tablet, fixed personal computer, mobile computer, or any communication device that enables one computer or electronic device to communicate with one another.

The invention thus far describes the remote application system 392 with discrete devices including the remote communication port 391, second cryptographic application device 394, server 340, and second communication device 395. However, these discrete devices may be integrated into fewer devices that perform the same functions as described with each discrete device. For example, the second communication device 395 may be an apparatus that includes features that enable it to function as the remote communication port 391, second cryptographic application device 394, and server 395.

Finally as shown in FIG. 4 the system 400 is reversible so the second communication device 495 can transmit electronic data 404 to the first communication device 410 over the established secure communication tunnel 490. The entire connection is reversed when the second communication device 495 responds to the incoming data from the first communication device 410. The response data 408 is sent to the server 440 and forwarded to the second cryptographic application device 494. The second cryptographic application device 494 retrieves the first communication device's 410 destination information such as the IP address and local port number from memory 498, which it previously stored from associating the initial data transfer to the first and second communication devices 410 and 495. The second cryptographic application device 494 prepends the data 407 with the destination information and then encrypts the entire data into an encrypted data packet 404. The encrypted data packet 404 is then transmitted across the secure communication tunnel 490. The first cryptographic application device 460 authenticates the transmission as being from a known and trusted source, and then it decrypts the data 401. The encrypted data packet 404 may be discarded if the decryption or authentication fails. After decryption and authentication, the first cryptographic application device 460 transmits the decrypted data packet 401 via the associated network socket connection 430 identified within the response data 401. The monitor 450 observes the data transmission since it has been monitoring the configured network socket connection 430 and forwards the decrypted data packet 401 to the non-secure application 420 thus completing the data transmission interchange.

FIG. 5 is a diagram of an exemplary embodiment for a method 500 to establish a secure and protected communication tunnel to transmit electronic data across a communication network from a communication device with a non-secure application to a remote application system comprising the first step of configuring the cryptographic application device 510 with identifying information such as the communication protocol, server names, IP addresses, remote port numbers, etc. for the remote application system. This configuration step may also be auto-configured on the communication device, or provisioned by a network administrator. The cryptographic application device retrieves the identifying information from a database or predefined connection information. The identifying information may include the data's final destination information such as a destination server name, IP address, port number, and device authentication information. The cryptographic application device prepends the data with the destination information and then encrypts the entire data into a data packet.

Next a local communication port from the communication device is configured with the cryptographic application device 520. This enables data to be transmitted from a specific communication port that can be monitored to detect when encrypted and authenticated data needs to be authenticated and decrypted. This also enables a device on the other end of the communication transmission to identify when a communication is from a trusted source for proper authentication and data decryption. For example, the second cryptographic application device can determine when a data transmission from any device is from a trusted source and in need of decryption by recognizing the data transmission from the communication port. This configuration step may also be auto-configured on the communication device, or provisioned by a network administrator.

Next the non-secure application is configured to transmit data through a specific network socket connection 530. The network socket connection constitutes a mechanism for delivering data packets to the appropriate application process, based on a combination of local and remote IP addresses and port numbers. Each socket is mapped by the operating system to a communicating application process. In other words, the non-secure application is configured with the network socket connection for a server set to local-host and a defined port. So when the non-secure application attempts to connect to an external application server, the non-secure application will open up a socket connection to the local-host and the defined port. This enables the monitor to keep track of data transmission from any number of non-secure applications. The monitor will recognize any data transmission from this defined port as one destined for the secure communication tunnel. As such, the monitor will reroute the transmission for encryption and transmission through the secured communication tunnel. This configuration step may also be auto-configured on the communication device, or provisioned by a network administrator.

Next the cryptographic application device establishes a secure communication tunnel, or secure and authenticated connection, to a second cryptographic application device of the remote application system 540. The cryptographic application device is set up to seek a predefined second cryptographic application device within a known remote application system. For example, the cryptographic application device may be programmed to establish a connection to a gateway server from a service provider that is dedicated to receiving the encrypted data, authenticating that the transmission is from a trusted source, decrypting the data, and forwarding the decrypted data to an end client, or second communication device. Multiple secure communication tunnels may be established at any given time allowing the non-secure application data to traverse any given tunnel, which may depend upon the communication device or application configuration. The configurations regarding which secure communication tunnel an application traverses can be preconfigured or automatic, based on random generation or depending on the network that the remote application system is connected to. This configuration step may also be auto-configured on the communication device, or provisioned by a network administrator.

Next a monitor monitors data transmitted through the network socket connection 550. The monitor device monitors the network socket connection for data transmissions from the non-secure application. The monitor device may be a programmable computer, electronic device, or a software application. The monitor device utilizes the network socket connection, such as TCP and UDP sockets, to accept incoming connections from the non-secure applications. The monitor continuously proxies each configured non-secure application by monitoring the predefined network socket connections. This works because each non-secure application, such as an email client, is configured to point to the communication device's local IP address and a specific port where the monitor is “listening.”

Next the monitor directs the data to the cryptographic application device 560. Upon detecting a data transmission on a configured socket connection, the monitor will direct the data transmission to the cryptographic application device. Next the cryptographic application device prepends the data with the identifying information for the remote application system 570. The cryptographic application device retrieves the destination information from a database or predefined connection information. The destination information may include the data's final destination information such as a destination server name, IP address, port number, and device authentication information. The cryptographic application device prepends the non-secure application data with the destination information and next encrypts the entire data into a data packet 580. In short, the cryptographic application device transforms the plaintext data using an encryption algorithm, or a cipher, to make the data unreadable to anyone except those possessing special knowledge, i.e. a key, to decrypt and make the data readable.

Next the encrypted data is transmitted via the secure and authenticated connection to the second cryptographic application device of the remote application system 590. The cryptographic application device transmits the encrypted data via a local port and across the network via the secure communication tunnel. On the other end of the secure communication tunnel is a remote communication port coupled to the second cryptographic application device to receive the encrypted data. The second cryptographic application device authenticates the data transmission as one from a known and trusted source 591, then it transforms the encrypted data using a decryption algorithm, or a key, to make the data readable 593. With the decrypted data, the second cryptographic application device is able to identify the data's final destination information such as a destination device name, IP address, port number, and device authentication information. If decryption or authentication fails, the data packet is dropped. The second cryptographic application device uses the data's final destination information to initiate a connection to an application server within the private network of the remote application system. The second cryptographic application device will also track the connection to the application server and associate it with the first communication device's identifying information such as the IP address and local port number to facilitate communication back to the first communication device. Once the connection to the application server is established, the second cryptographic application device sends the decrypted data to the application server 595.

Next an application server connected to the second cryptographic application device receives the decrypted data 597. The application server may be a software program running to serve the computational or communication tasks of the non-secure application. The application server may also be a physical computer dedicated to running one or more applications to serve the needs of communications devices on the network. The application server may include an email-server, computer, server, switch, gateway, router, database server, file server, mail server, print server, web server, or other electronic device capable of directing electronic data to a communication device. The application server uses the destination information to determine which end device to transmit the decrypted data to. For example, the application server may use the device name, IP address, or port number to determine the second communication device to transmit the data to.

Next the decrypted data is transmitted 599 to a second communication device coupled to the application server. The second communication device may include an electronic communication or computing device such as a smartphone, tablet, fixed personal computer, mobile computer, or any communication device that enables one computer or electronic device to communicate with another.

Finally, the communication method is reversible so the second communication device can transmit electronic data back to the first communication device over the established secure communication tunnel, as previously described in the specification, thus completing the data transmission interchange.
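The packet handling that the two cryptographic application devices perform in the system of FIG. 3 and in steps 570 through 595 of the method above, as an added example that is not part of the patent: the destination header is prepended to the application data, header and data are sealed together under a pre-shared tunnel key, the receiving side authenticates before it decrypts and drops anything that fails, and a small tracker stands in for the memory (498 in FIG. 4) that maps each server connection back to its originating device. AES-GCM is my choice of cipher (the patent names none), and the wire layout, the key provisioning and every name and identifier below are assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Destination is the identifying information prepended to each packet.
// Constructed wire layout: 2-byte name length, server name, 2-byte port.
type Destination struct {
	Server string
	Port   uint16
}

func encodeHeader(d Destination) []byte {
	n := len(d.Server)
	b := make([]byte, 4+n)
	binary.BigEndian.PutUint16(b, uint16(n))
	copy(b[2:], d.Server)
	binary.BigEndian.PutUint16(b[2+n:], d.Port)
	return b
}

// decodeHeader parses the prepended header and returns the remaining payload.
func decodeHeader(b []byte) (Destination, []byte, error) {
	if len(b) < 2 || len(b) < 4+int(binary.BigEndian.Uint16(b)) {
		return Destination{}, nil, errors.New("truncated header: dropped")
	}
	n := int(binary.BigEndian.Uint16(b))
	d := Destination{Server: string(b[2 : 2+n]), Port: binary.BigEndian.Uint16(b[2+n:])}
	return d, b[4+n:], nil
}

// newAEAD builds AES-GCM under the tunnel key. Assumption: both cryptographic
// application devices were provisioned with the same pre-shared key.
func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the sending side: prepend the destination header, then encrypt
// header and payload together. The random nonce travels in clear ahead of
// the ciphertext; the GCM tag authenticates both header and payload.
func Seal(key []byte, d Destination, plaintext []byte) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	inner := append(encodeHeader(d), plaintext...)
	return aead.Seal(nonce, nonce, inner, nil), nil
}

// Open is the receiving side: authenticate first, then decrypt, then read the
// destination. A failed tag check drops the packet, as the text requires.
func Open(key, packet []byte) (Destination, []byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Destination{}, nil, err
	}
	ns := aead.NonceSize()
	if len(packet) < ns {
		return Destination{}, nil, errors.New("packet too short: dropped")
	}
	inner, err := aead.Open(nil, packet[:ns], packet[ns:], nil)
	if err != nil {
		return Destination{}, nil, errors.New("authentication failed: dropped")
	}
	return decodeHeader(inner)
}

// Tracker is the remote side's memory of which originating device each
// server connection belongs to, so replies can be routed back to it.
type Tracker map[string]string

func (t Tracker) Associate(serverConn, origin string) { t[serverConn] = origin }
func (t Tracker) Origin(serverConn string) (string, bool) { o, ok := t[serverConn]; return o, ok }

func main() {
	key := make([]byte, 32) // constructed demo key, fresh on every run
	rand.Read(key)
	dest := Destination{Server: "mail.example.internal", Port: 993} // constructed
	pkt, _ := Seal(key, dest, []byte("A001 CAPABILITY\r\n"))
	got, payload, err := Open(key, pkt)
	fmt.Println(got, string(payload), err)
	pkt[len(pkt)-1] ^= 0x01 // flip one tag bit: the remote side must drop it
	_, _, err = Open(key, pkt)
	fmt.Println("tampered packet:", err)
}
```

Because the non-secure application is pointed at a local-host port, the monitor that listens there should bind the loopback address only; any other process on the device can otherwise reach it and inject data into the tunnel.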

The embodiments of this invention are especially applicable to standard Android-based applications because Android devices are limited in their data encryption capabilities due to the need to have elevated permissions such as root permissions to install data encryption software. This invention overcomes this issue and does not require root permissions to install and configure non-secure applications with data encryption capabilities. The embodiments of this invention provide a method and system to establish a virtual private network (“VPN”), or a secured and protected network for authenticated and encrypted data transmission to prevent disclosure of private information to unauthorized parties. This invention enables users of Android-based communication devices to use COTS standard applications without the need to add security features to the applications. In other words, this invention provides secure and authenticated data transmission from a communication device to any public or private network while using existing standard applications such as email, VoIP, internet browsers, ISR applications, video conferencing, telecommuting, inventory tracking and control, etc. without the need to secure or add encryption features into each specific application. This invention provides the opportunity to selectively secure one or more existing applications with configuration changes that can be made at the user-space level of the software stack.

Throughout this description, references were made to devices coupled together in a manner that allows the exchange and interaction of data, such that the operations and processes described may be carried out. For example, the devices may be coupled with electrical circuitry, or through wireless networks that allow the devices to transfer data, receive power, execute the operations described, and provide structural integrity. Reference was also made to communication between a first and second communication device; however, the invention is scalable to communication across any number of devices. The invention may also be enabled with more devices than described in the specification. For example, any number of network socket connections, monitors, cryptographic application devices, communication ports, secure communication tunnels, servers, and communication devices may be utilized to enable this invention.

The terms and expressions which have been employed herein are used as terms of description and not of limitation, and there is no intention, in the use of such terms and expressions, of excluding any equivalents of the features shown and described (or portions thereof), and it is recognized that various modifications are possible within the scope of the claims. Other modifications, variations, and alternatives are also possible. Accordingly, the claims are intended to cover all such equivalents.

What is claimed is:
 1. A method to establish secure communication tunnels to transmit data across a communication network from a communication device with a non-secure application comprising: configuring the communication device's cryptographic application device with the identifying information of a remote application system; associating a local communication port of the communication device with the cryptographic application device; configuring the communication device's non-secure application to transmit data through a specific network socket connection; establishing secure bi-directional communication tunnels between the communication device and the remote application system; monitoring data transmitted through the communication device's network socket connection and upon detecting a data transmission on the network socket connection, directing the data transmission to the communication device's cryptographic application device; using the cryptographic application device to prepend the transmitted data with the remote application system's identifying information and encrypting the transmitted data and prepended identification information into an encrypted data packet; transmitting the encrypted data packet via the secure communication tunnel to a remote communication port coupled to the remote application system; using the remote application system's cryptographic application device to first authenticate the data transmission as one from a known and trusted source and then to decrypt the encrypted data; identifying the data's final destination from the decrypted prepended data and initiating a connection to an appropriate application server of the remote application system; allowing the remote application system's cryptographic application device to keep track of the connection information of the application server to be associated with the communication device's identifying information; once the connection to the application server is established, the second cryptographic application device sends the decrypted data to the application server; using the application server to transmit the decrypted data to a second communication device; and completing the data transmission exchange when the second communication device transmits data back to the first communication device over the secure bi-directional communication tunnels.
 2. The method of claim 1, wherein the identifying information includes the data's final destination information such as a destination server name, IP address, port number, and device authentication information.
 3. The method of claim 1, wherein each socket is mapped by the operating system to a communicating application such that the non-secure application is configured with the network socket connection for a server set to local-host and a defined port, so when the non-secure application attempts to connect to an external application server, the non-secure application will open up a socket connection to the local-host and the defined port.
 4. The method of claim 1, wherein the monitor keeps track of data transmission from any number of non-secure applications and recognizes any data transmission from the defined port as one destined for the secure communication tunnel, and thus the monitor reroutes the transmission for encryption and transmission through the secured communication tunnel.
 5. The method of claim 1, wherein the configurations regarding which secure communication tunnel an application traverses can be preconfigured, automatic, randomly assigned, or dependent on which network the remote application system is connected to.
 6. The method of claim 1, wherein the monitor device continuously proxies each configured non-secure application by monitoring the predefined network socket connections for data transmissions from the non-secure application utilizing the network socket connection.
 7. The method of claim 1, wherein the data packet is dropped if decryption or authentication fails.
 8. The method of claim 1, wherein the opportunity to selectively secure one or more non-secure applications with configuration changes are made at the user-space level of the software stack.
 9. A system for establishing a secure communication tunnel to transmit data across a communication network from a communication device with a non-secure application with modifications made only within the user-space of the communication device's software stack comprising: a first communication device; non-secure applications installed on the first communication device; network socket connections coupled to the non-secure applications; monitor devices coupled to the network socket connections; cryptographic application devices coupled to the monitor devices; local communication ports coupled to the cryptographic application devices; secure bi-directional communication tunnels connected to the local communication ports and a remote communication port of a remote application system; a second cryptographic application device coupled to the remote communication port; an application server connected to the second cryptographic application device; and a second communication device coupled to the application server.
 10. The system of claim 9, wherein, the communication devices comprise smartphones, tablets, fixed personal computers, mobile computers, or any communication device that enables one device to communicate with another.
 11. The system of claim 9, wherein the non-secure applications are commercially available off-the-shelf (“COTS”) software applications without an integrated data encryption capability.
 12. The system of claim 9, wherein the non-secure applications comprise Email, SIP-based VoIP clients, video conferencing applications or any other software applications in which communicating data across a communication network is a function of the applications.
 13. The system of claim 9, wherein the non-secure applications comprise Android-based applications with limited data encryption capabilities requiring elevated permissions such as root permissions to install data encryption software.
 14. The system of claim 9, wherein the network socket connections are mapped by the communication device's operating system.
 15. The system of claim 9, wherein the cryptographic application device comprises a cryptographic engine comprising hardware and software that utilizes a data encryption algorithm to secure data from unauthorized access.
 16. The system of claim 9, wherein a secure communication tunnel comprises a virtual private network (“VPN”) or any communication connection that uses public infrastructure, such as the Internet, to provide remote users access to a central organizational network, or private network.
 17. The system of claim 9, wherein the communication ports comprise a serial port or a parallel port with interfaces such as Ethernet, FireWire, USB, and other interfaces intended to interface with a communication device.
 18. The system of claim 9, wherein the cryptographic application device comprises the necessary algorithm data path, control processor chips, and software integrated within a server, computer, electronic or communication device within the remote application system.
 19. The system of claim 9, wherein the application server comprises an email-server, computer, server, switch, gateway, router, database server, file server, mail server, print server, web server, or other device capable of directing electronic data to communication devices.
 20. A non-transient computer-readable medium which stores a set of instructions which when executed performs a method for establishing a secure communication tunnel to transmit data across a communication network from a communication device with a non-secure application comprising: configuring the communication device's cryptographic application with the identifying information of a remote application system; associating a local communication port of the communication device with the cryptographic application; configuring the communication device's non-secure application to transmit data through a specific network socket connection; establishing secure bi-directional communication tunnels between the communication device and the remote application system; monitoring data transmitted through the communication device's network socket connection and upon detecting a data transmission on the network socket connection, directing the data transmission to the communication device's cryptographic application; using the cryptographic application to prepend the transmitted data with the remote application system's identifying information and encrypting the transmitted data and prepended identification information into an encrypted data packet; transmitting the encrypted data packet via the secure communication tunnel to a remote communication port coupled to the remote application system; using the remote application system's cryptographic application to first authenticate the data transmission as one from a known and trusted source and then decrypting the encrypted data; identifying the data's final destination from the decrypted prepended data and initiating a connection to an appropriate application server of the remote application system; allowing the remote application system's cryptographic application to keep track of the connection information of the application server to be associated with the communication device's identifying information; once the connection to the application server is established, the second cryptographic application sends the decrypted data to the application server; using the application server to transmit the decrypted data to a second communication device; and completing the data transmission exchange when the second communication device transmits data back to the first communication device over the secure bi-directional communication tunnels.
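The packet handling recited in claims 1, 2 and 7, worked through as an added example that is not part of the patent or of any product it describes. It shows the sending side prepending the destination and device identifying information, encrypting, and authenticating the packet, and the remote application system authenticating the packet before it decrypts anything, dropping it on any failure, parsing the prepended header to find the application server, and recording which application server connection belongs to which device. The frame layout, the JSON header, HMAC-SHA256 as the authentication mechanism, the HMAC-derived counter keystream standing in for the encryption algorithm the claims leave unspecified, and the application-server allow-list are all assumptions of this example, not features stated in the patent.

```python
import hashlib
import hmac
import json
import os
import struct

# Frame layout (constructed for this example, not taken from the patent):
#   MAGIC (6) | nonce (16) | ciphertext | HMAC-SHA256 tag (32)
MAGIC = b"USVPN1"
NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream derived with HMAC-SHA256.

    Stand-in for the encryption algorithm the patent leaves unspecified; a real
    deployment would use an AEAD cipher such as AES-GCM instead of this.
    """
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def build_packet(enc_key, mac_key, device_id, dest_host, dest_port, payload):
    """Sending side (claim 1): prepend identifying information, encrypt, then authenticate."""
    header = json.dumps({"device": device_id, "host": dest_host, "port": dest_port}).encode()
    plaintext = struct.pack(">H", len(header)) + header + payload
    nonce = os.urandom(NONCE_LEN)
    body = MAGIC + nonce + _xor(plaintext, _keystream(enc_key, nonce, len(plaintext)))
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()  # covers magic, nonce and ciphertext
    return body + tag


def open_packet(enc_key, mac_key, packet):
    """Receiving side: verify the tag first; decrypt only after it checks out.

    Returns (header, payload), or None when the packet must be dropped (claim 7).
    """
    if len(packet) < len(MAGIC) + NONCE_LEN + TAG_LEN:
        return None
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time compare
        return None
    if not body.startswith(MAGIC):
        return None
    nonce = body[len(MAGIC):len(MAGIC) + NONCE_LEN]
    ciphertext = body[len(MAGIC) + NONCE_LEN:]
    plaintext = _xor(ciphertext, _keystream(enc_key, nonce, len(ciphertext)))
    if len(plaintext) < 2:
        return None
    (hlen,) = struct.unpack(">H", plaintext[:2])
    try:
        header = json.loads(plaintext[2:2 + hlen])
    except ValueError:          # wrong key or truncated frame: undecodable header
        return None
    if not isinstance(header, dict) or not all(k in header for k in ("device", "host", "port")):
        return None
    return header, plaintext[2 + hlen:]


class RemoteApplicationSystem:
    """Remote side of claim 1: authenticate, decrypt, route, and track device-to-server connections."""

    def __init__(self, enc_key, mac_key, allowed_servers):
        self.enc_key = enc_key
        self.mac_key = mac_key
        # Allow-list of application servers this system will connect to (an added check, assumed).
        self.allowed_servers = set(allowed_servers)
        self.connections = {}   # device id -> (host, port) of its application server
        self.dropped = 0

    def receive(self, packet):
        """Return (destination, payload) for an accepted packet, or None if it was dropped."""
        opened = open_packet(self.enc_key, self.mac_key, packet)
        if opened is None:
            self.dropped += 1
            return None
        header, payload = opened
        dest = (header["host"], header["port"])
        if dest not in self.allowed_servers:
            self.dropped += 1
            return None
        self.connections[header["device"]] = dest
        return dest, payload


if __name__ == "__main__":
    enc, mac = os.urandom(32), os.urandom(32)
    remote = RemoteApplicationSystem(enc, mac, [("mail.example.internal", 993)])
    pkt = build_packet(enc, mac, "device-01", "mail.example.internal", 993, b"hello")
    print(remote.receive(pkt), remote.connections)
```

The order inside open_packet is the point of claim 1's "first authenticate ... and then decrypt": the tag is checked over the whole body before any byte is decrypted, so a forged or tampered frame never reaches the keystream or the header parser, and every failure path returns None so that the caller drops the packet as claim 7 requires.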